On Fri, Feb 18, 2000 at 01:27:34PM -0500, Michael E. Cummins wrote:
> > -----Original Message-----
> > From: EXT-Springer, Aaron C [mailto:[EMAIL PROTECTED]]

> > I think that a scan is just a scan, I would hate to have it come
> > to the point where doing a scan on somebody gets your ISP account
> > revoked.  This country is turning into a police state as it is.
> > I can see a future where any kind of probing is deemed illegal by
> > the Gestapo.  In the UK if you don't give up your crypto keys
> > when the Gov. asks, you go to jail.  The day may come when having
> > strobe or nmap on your machine is illegal..
> >
> > If they do more than a scan then, hey give it to 'em...
> 
> The more I think about it, the more I am questioning my initial zeal in
> spanking this fellow.  I think that you have a valid point, but I am still
> uncomfortable with what appears to me to be a script kiddy scanning a broad
> number of addresses looking quite specifically for Trojan infected machines.

A scan just doesn't "happen". It's done for a reason. Nothing is illegal
about walking down your block, and knocking on all the doors, but I bet
you'd get someone pissed off enough to call the police, and they would
make you leave.

> I myself have a fear of the way some of our legislators are looking at
> "cyber crime", "cryptology" and various other internet related issues.
> Keeping the discussion list-specific, as an operator of numerous
> firewalls...
> 
> What is our responsibility to this?
> 
> Do we wait for the attacker to "breach" before reacting?  Or do we try to
> determine on a case by case basis what the intent of the anomaly was?  I
> have always favored preventive action over corrective, but I am trying to
> find a happy balance here between ethics, logistics and behavioral
> precedents that I will pass on to my employees.

We employ 'threat assessment'. We don't act on every probe (over 200
yesterday), but if it happens more than 1 time, we lock them out at the
router. I don't wait for the problem to occur.

> Some of us cannot deal with the number of probes received per day, it would
> be a logistic impossibility.  (Luckily, I am not one of these.  Currently, I
> co-locate servers and pay for the services.)  Thus, I can understand a
> policy based on "Well, what did they actually get away with?"
> 
> Or is that too lax?

It all depends on your policy.

> If we find ourselves with the time and the resources, do we have the
> obligation to swat the flies?  Am I correct in perceiving that the majority
> of intrusions today are from people that actually have little knowledge of
> the principles their downloaded tools are based upon - and a bit too much
> time on their hands?
> 
> In my case, I just shared my logfiles with the German ISP that we assumed
> the port scanning originated from. I stressed that no damage was done, and
> no successful breach took place.  I just alerted them that the event took
> place, as a courtesy to them.  At least, that truly is the spirit I sent it
> in after thinking about everything a few times.

This may be enough in your situation. We are actually required, depending on
how you read the rules we have to follow, to report *all* attempts to CIAC.
Looking at the weekly reports they generate, some sites actually do. Most
of these things are simply an annoyance, and not even a threat, no less an
incident.

Tim

-- 
 (work) [EMAIL PROTECTED] / (home) [EMAIL PROTECTED] - http://www.buoy.com/~tps
    Lord, grant me the serenity to accept the things I cannot change,
    the courage to change the things I can, and the wisdom to hide the
    bodies of the people I had to kill because they pissed me off - Anon.
** Disclaimer: My views/comments/beliefs, as strange as they are, are my own.**
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
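
The repeat-probe rule described in the message above ("if it happens more than 1 time, we lock them out at the router"), sketched as an added example that is not part of the original message or the poster's own tooling. The log format, the 30-minute quiet gap used to tell one probe from the next, and the never-block network are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample of denied-packet log lines (format is an assumption):
# timestamp, source address, destination port.
SAMPLE_LOG = """\
2000-02-17T02:11:05 192.0.2.10 12345
2000-02-17T02:11:06 192.0.2.10 31337
2000-02-17T02:11:07 192.0.2.10 27374
2000-02-17T09:40:00 198.51.100.7 31337
2000-02-17T14:02:30 192.0.2.10 12345
2000-02-17T16:20:00 203.0.113.5 23
2000-02-17T16:20:01 203.0.113.5 23
2000-02-17T18:00:00 10.1.2.3 31337
2000-02-17T23:00:00 10.1.2.3 31337
"""

QUIET_GAP = timedelta(minutes=30)  # assumption: a gap this long starts a new probe
NEVER_BLOCK = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: our own address space

def count_probes(log_text, gap=QUIET_GAP):
    """Return {source: number of separate probes}; a burst of packets is one probe."""
    last_seen, probes = {}, defaultdict(int)
    for line in sorted(log_text.splitlines()):  # ISO timestamps sort chronologically
        if not line.strip():
            continue
        stamp, src, _port = line.split()
        when = datetime.fromisoformat(stamp)
        if src not in last_seen or when - last_seen[src] > gap:
            probes[src] += 1
        last_seen[src] = when
    return dict(probes)

def lockout_candidates(log_text, max_probes=1):
    """Sources that probed more than max_probes times, minus protected networks."""
    result = []
    for src, n in count_probes(log_text).items():
        addr = ipaddress.ip_address(src)
        if n > max_probes and not any(addr in net for net in NEVER_BLOCK):
            result.append(src)
    return sorted(result)

if __name__ == "__main__":
    print(count_probes(SAMPLE_LOG))
    print(lockout_candidates(SAMPLE_LOG))
```

Counting bursts rather than packets keeps a single multi-port sweep from tripping the threshold on its own, and the never-block list keeps a misread log entry from locking out your own hosts.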
